
Grails Spring Security REST -- Getting session cookie


I am building a Grails app and am using spring-security-core-3.2.0 and spring-security-rest/2.0.0. All is working fine and I can login to my web-app and I can also use the JWT token to authenticate/communicate in a RESTful way. However, with the REST calls, I'm still getting a JSESSIONID token. Since REST is stateless, I wouldn't expect a session. I can't seem to find a configuration option for this. Is there a way to disable sessions from being created for RESTful calls?

This is how I see I'm getting a session:

curl -D headers.txt -H "Content-Type: application/json" -X POST -d '{"username":"xxxxx","password":"xxxxxx"}' http://xxxx:8080/api/login

Inspecting headers.txt, I see:

HTTP/1.1 200 
Cache-Control: no-store
Pragma: no-cache
Set-Cookie: JSESSIONID=3004A67F66933E639E68D79FA1E1CA88; Path=/; HttpOnly
Content-Type: application/json;charset=UTF-8
Content-Length: 2247
Date: Sun, 12 Nov 2017 16:57:40 GMT

Solution

  • I found the answer in the documentation of all places. :-)

    It's all about the filter chain and which URL patterns should be stateless and which ones should not. I added the following map to application.groovy in the grails.plugin.springsecurity.filterChain.chainMap:

    [pattern: '/api/**',
      filters: 'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'
    ]
    

    Full setting:

    grails.plugin.springsecurity.filterChain.chainMap = [
        // static resources: no security filters at all
        [pattern: '/assets/**',      filters: 'none'],
        [pattern: '/**/js/**',       filters: 'none'],
        [pattern: '/**/css/**',      filters: 'none'],
        [pattern: '/**/images/**',   filters: 'none'],
        [pattern: '/**/favicon.ico', filters: 'none'],
        // REST API: stateless chain; the session-backed filters
        // (security context persistence, form login, remember-me,
        // exception translation, anonymous) are removed, so Spring
        // Security no longer creates an HttpSession (JSESSIONID) here
        [pattern: '/api/**',
          filters: 'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'
        ],
        // everything else: the full stateful chain (form login, session, remember-me)
        [pattern: '/**',             filters: 'JOINED_FILTERS']
    ]
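
A way to confirm the change actually took effect, as an added example (this script is not part of the original post or of the plugin): it repeats the curl login call from the question, captures only the response headers, and fails if any Set-Cookie header carries a JSESSIONID. The check is worth running after the config change because the chainMap only stops Spring Security from creating the session; anything else that touches the HttpSession on an /api/** request (for example a controller that reads `session` or `flash`) will still make the container issue a JSESSIONID, and the headers are the only place that shows up. The URL and credentials passed to the live check are placeholders; the two header samples at the bottom are constructed, the first being the headers shown in the question.

```shell
#!/bin/sh
# Added example, not code from the original post: verify whether an endpoint
# still hands out a container session after the chainMap change. It reads
# the raw response headers that curl produces with -D and fails if a
# Set-Cookie header carries a JSESSIONID. The URL and credentials used with
# check_login_endpoint are placeholders (assumptions), not values from the post.

# Return 0 (true) when the header dump in $1 contains no JSESSIONID cookie,
# 1 when the server created an HttpSession for this request.
# Header names are matched case-insensitively; trailing CRs from curl are harmless.
no_session_cookie() {
    ! printf '%s\n' "$1" | grep -qi '^Set-Cookie:[[:space:]]*JSESSIONID='
}

# Perform the same login call the question uses and feed its headers to the
# check. Usage: check_login_endpoint http://host:8080/api/login user pass
# Returns 0 if stateless, 1 if a session was created, 2 if curl itself failed.
check_login_endpoint() {
    url=$1; user=$2; pass=$3
    headers=$(curl -sS -D - -o /dev/null \
        -H 'Content-Type: application/json' \
        -X POST -d "{\"username\":\"$user\",\"password\":\"$pass\"}" \
        "$url") || return 2
    if no_session_cookie "$headers"; then
        echo "OK: $url issued no JSESSIONID (stateless)"
    else
        echo "FAIL: $url still creates a session:"
        printf '%s\n' "$headers" | grep -i '^Set-Cookie:'
        return 1
    fi
}

# Constructed samples. BEFORE is the header block shown in the question;
# AFTER is what the same call should return once /api/** is stateless.
BEFORE='HTTP/1.1 200
Cache-Control: no-store
Pragma: no-cache
Set-Cookie: JSESSIONID=3004A67F66933E639E68D79FA1E1CA88; Path=/; HttpOnly
Content-Type: application/json;charset=UTF-8
Content-Length: 2247'

AFTER='HTTP/1.1 200
Cache-Control: no-store
Pragma: no-cache
Content-Type: application/json;charset=UTF-8
Content-Length: 2247'

if no_session_cookie "$BEFORE"; then
    echo "before: no session"
else
    echo "before: session created (the original, unwanted behaviour)"
fi
if no_session_cookie "$AFTER"; then
    echo "after: no session (what the chainMap change should give)"
else
    echo "after: session still created"
fi

# Against a running instance (placeholder URL and credentials, adjust to taste):
# check_login_endpoint http://localhost:8080/api/login alice secret
```

Run the same check against a protected /api/** resource using the JWT (`-H "Authorization: Bearer <token>"` instead of the login body) to confirm that token-authenticated calls are session-free as well, not just the login endpoint.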